4 Next Steps
With the European Union’s General Data Protection Regulation (GDPR) deadline now behind us, the real work of maintaining ongoing compliance begins. In this article, Gartner’s Stephanie Quaranta outlines the actions privacy and compliance executives should take for the rest of 2018 and into next to ensure the effectiveness of GDPR-related changes.
The past two years have been busy ones for privacy and compliance executives. The formation of the General Data Protection Regulation (GDPR) in April 2016 gave organizations just over two years to understand the requirements, conduct a gap analysis and create and execute a plan for bringing their organizations into compliance.
Since then, privacy and compliance executives have led the charge in appointing Data Protection Officers, building out data protection impact assessment processes, revisiting breach requirements and much more. After two years spent focused on preparing their organizations for the May 25, 2018 implementation deadline, privacy and compliance executives are finally able to pick their heads up and take stock of the changes made. But now they are left to wonder: what’s next?
Though there is no one right answer to that question, there are four areas most organizations will want to invest in between now and 2020 to maintain ongoing compliance.
1. Operationalize Updated Standards and Policies
Organizations have spent the past two years building policies, procedures and processes to outline their organizations’ GDPR compliance strategy. Now, with the regulation in full force, privacy and compliance executives must focus on how to embed the changes they made in light of GDPR into business systems and operations. To enable this, organizations are targeting heavily impacted segments of the business for training, communications and ongoing partnership.
For example, while most B2C companies have been primarily focused on the management of customer data, GDPR stresses the importance of employee and candidate data and the need for a strong partnership with HR. GDPR impacts how record retention policies can be applied to employee and candidate records. Moreover, by giving individuals the right “not to be subject to a decision based solely on automated processing,” the regulation has introduced new challenges to how organizations manage talent analytics, from the recruiting phase throughout the employee life cycle. Impacted groups, from customer service representatives to sales teams, will need targeted messaging and support to understand how they must adapt their workflows in a post-GDPR world.
2. Ensure Effective Information Governance
Though improving information governance has long been a priority for privacy and compliance executives, GDPR execution has taken it off the back burner by introducing new and often complex requirements for how information should be collected, used and stored – and by raising the stakes for getting it wrong.
As a result, most organizations are investing in formalizing their information governance efforts. In fact, 37 percent of organizations have already put a formal information governance framework in place, while another 40 percent plan to implement one in the next 12 to 18 months. The vast majority of privacy and compliance executives plan to leverage their framework in ways that will support ongoing GDPR compliance, from building a more comprehensive understanding of the organization’s data assets to arriving at guidelines for the collection, use and retention of information across the organization.
Privacy and compliance executives should take advantage of the newfound momentum behind information governance initiatives to increase the function’s participation in decisions about the strategic use and appropriate protection of the organization’s information assets.
3. Drive GDPR Compliance into Third-Party Networks
For many privacy and compliance executives, the lesson of recent high-profile bribery and corruption failures or data breaches has been “ignore your third parties at your own peril.” Now that their own organizations are GDPR ready, these executives are turning their focus to the data processors in their third-party networks. In advance of the May 25 deadline, many organizations used their contracts with third parties as a way to ensure GDPR compliance, at least for the short term, by adding short addendums around GDPR requirements or, in the case of larger third-party relationships, revisiting the contract in its entirety. To maintain ongoing compliance, however, privacy and compliance executives must feel confident that their third-party partners have fully operationalized GDPR requirements. To do so, they will need to (a) educate third-party business sponsors about changing the expectations of third-party partners, (b) strengthen due diligence partnerships with procurement and other groups at the organization and (c) agree on a process for monitoring third-party compliance after the due diligence phase.
4. Monitor the Effectiveness of Your GDPR Readiness Efforts
Building new policies and processes was key to meeting the May 25 GDPR implementation date, but to maintain ongoing compliance, privacy and compliance executives need to be sure that those policies and processes are actually working. Currently, organizations are going about this in different ways. Some organizations are conducting tabletop exercises and mock data breaches to ensure they are able to meet the GDPR’s 72-hour reporting requirement, should they need to. Others have put in place a set of GDPR-related metrics, ranging from how long it takes to locate and delete a certain individual’s data to how many customers are clicking on updated privacy policies or explanations of how to view and revoke consent. Finally, there are organizations conducting formal audits of their GDPR readiness efforts, from their process for meeting a data subject’s access request to their updated consent procedures.
Though the approach might differ, the common denominator is clear: organizations want to test the processes they’ve put in place to both verify effectiveness and identify any potential issues before violations crop up.
On May 25 the real work of ensuring ongoing GDPR compliance began. For privacy and compliance executives, that will mean strengthening relationships with key partners to ensure that two years of GDPR readiness efforts have been effectively translated into operations.